A strong cybersecurity program is designed to protect the confidentiality, integrity and availability of a business’s information systems. These systems include any computer or networked electronic system used by the business, together with the sensitive business and consumer information those systems hold. Programs should be designed to perform three primary functions:
- Identify and assess threats and risks;
- Protect information systems and sensitive information from malicious use and unauthorized access; and
- Detect, respond to and recover from cybersecurity “events” such as breaches.
A business’s cybersecurity program should be overseen by a designated responsible individual, such as a chief information security officer. This person is responsible for enforcing the cybersecurity policy. Ideally, he or she will be supported by personnel who oversee the core functions of the program noted above.
Detailed cybersecurity policies should address a wide variety of security concepts, including: data classification; asset inventory and device management; access controls and identity management; business continuity; network and physical security; third-party service provider requirements; and incident response procedures. Businesses looking to protect their information and systems should consider building the following into a new or existing cybersecurity program:
- Written guidelines related to application security to ensure the use of secure development practices for internally developed applications and to evaluate the security of third-party applications.
- Risk-based policies and controls to monitor user activity and detect unauthorized access to or use of sensitive information. Controls may include multi-factor authentication or risk-based authentication.
- Policies and procedures for the secure disposal of sensitive information, consistent with retention requirements under existing laws and regulations.
- Controls, such as encryption, to protect any sensitive information held or transmitted by the business both in transit over external networks and at rest.
- Limited user access privileges to systems that provide access to sensitive information, with the business periodically reviewing those privileges and adjusting them as necessary.
- Written policies and procedures relating to third-party service providers that address minimum cybersecurity standards and risk assessment.
- A written incident response plan for when cybersecurity events occur. This plan should designate roles, responsibilities, decision-making authority and processes for handling such events.
- A plan for vulnerability assessments that includes monitoring and testing to assess the effectiveness of the program.
- Regular cybersecurity awareness training for all personnel.
Once a program is in place, the business should conduct periodic risk assessments that review its policies, procedures and practices. These assessments should be governed by a written policy that establishes criteria for evaluating identified cybersecurity risks or threats and for assessing the adequacy of existing controls in light of those risks.